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© Reproduction of secure keys by using distributed key generation data. 



© A key security system provides for the reproduc- 
tion of secure keys by using distributed key genera- 
tion data and a distributed encrypted prekey. The 
system encrypts program key generation data (17) 
with a program key prekey (18) in accordance with a 
first encryption algorithm to produce the program 
key (20): processes the program key (20) to produce 
a keystream (25); and processes an information sig- 
nal (26) with the keystream to produce a scrambled 
information signal (27). The program key prekey (18) 
is encrypted with a category key (22) in accordance 
with a second encryption algorithm to produce an 

3 encrypted program key prekey (23). The scrambled 
information signal (27) the program key generation 
data (17) and the encrypted program key prekey 
^(23) are distributed to descramblers. The descram- 
00 bier within the key security system decrypts the 
-^distributed encrypted program key prekey (23) with 
^ the category key (22) in accordance with the second 
CO encryption algorithm to reproduce the program key 
q prekey (18); encrypts the distributed program key 
generation data (17) with the reproduced program 
O-key prekey (18) in accordance with the first encryp- 
^tion algorithm to reproduce the program key (20); 
processes the reproduced program key (20) to re- 



produce the keystream (25); and processes the dis- 
tributed scrambled information signal (27) with the 
reproduced keystream (25) to descramble the dis- 
tributed scrambled information signal. The key gen- 
eration data includes authorization data that must be 
processed by the authorization processor (35) in the 
descrambfer in order to enable the descrambler. The 
use of authorization data as key generation data 
protects the authorization data from spoofing attacks. 
When more data must be protected than a single 
operation of the encryption algorithm can support, 
then additional data blocks are protected by chaining 
the system, wherein the output from one stage forms 
part of the input to the next. The key generation data 
for the program key includes a sequence number 
securely associated with the category key to thereby 
"timelock" program key reproduction to the use of a 
current category key and thus prevent an attack 
based upon the use of an obsolete category key. 
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REPRODUCTION OF SECURE KEYS BY USING DISTRIBUTED KEY GENERATION DATA 



BACKGROUND OP THE INVENTION 

The invention pertains to descrambling and de- 
cryption systems used in communications networks 
in which individual descramblers may be selec- 
tively authorized for access to the services pro- 
vided by the network. 

All such systems require the secure delivery of 
authorization data to the descrambler. Security of 
the signal carrying the services is obtained by a 
technique of ensuring that any tampering of the 
messages delivering the authorization data causes 
a violation of the authorization conditions required 
by the descrambler for providing successful access 
to the network. Examples of such technique are 
described below. 

A classical "signature verification" technique, 
which is described by D.E.R. Denning 
"Cryptography and Data Security", Addison-Wes- 
ley, 1983, as applied to this type of communica- 
tions system, requires the authorization message 
delivered to the descrambler to contain a data 
block which contains a known value of sufficient 
size encrypted under a key shared between the 
descrambier and the originator of the message. If 
the descrambler obtains the known value after de- 
cryption, then it accepts the message as describing 
the legitimate conditions for authorization. 

A "data comparison" technique described in 
"Specification for Conditional Access Receivers", 
Draft NR-MSK Specification Vedlegg 4, October 
1987), requires an unknown value of a sufficiently 
large number of bits to be repeated twice in the 
encrypted portion of the authorization message. If 
the descrambler finds, after decryption, that the two 
blocks match then it accepts the message as de- 
scribing the legitimate conditions for authorization. 

A "selective delivery" technique described in 
U.S. Patent No. 4,613,901 to Klein S. Gilhousen, 
Charles F. Newby, Jr. and Karl E. Moerder, utilizes 
a hierarchy of secret keys to provide access con- 
trol. Each level of the hierarchy is associated with 
an address. If the descrambler does not possess 
one of the appropriate addresses, it does not re- 
ceive the message destined for the address con- 
taining the secret key for that level of the hierarchy. 
Since the secret key at each level of the hierarchy 
Is encrypted under the secret key of the next level, 
an attacker cannot substitute a message intended 
for a different address, 

A "key modification" technique described in 
U.S. Patent No. 4,712,238 to Klein S. Gilhousen, 
Jerrold A. Heller, Michael V. Harding and Robert D. 
Blakeney, is similar to the "selective delivery" 
technique, but delivers authorization data along 



with the secret k ys. The authorization data is in 
the clear, but is used to alter the secret keys in 
such a way that any attempt to modify the clear 
data causes incorrect generation of the secret keys 
5 when the descrambler performs the decryption op- 
eration. Since the descrambier then possesses the 
incorrect keys, it will not correctly decrypt the 
signal. 

All these systems protect the authorization data 

io against tampering based on modification to the 
authorization messages, where such modification is 
based solely on knowledge of the contents of the 
message and on the operation of the system. How- 
ever, if an attacker is able to gain additional in- 

75 formation about the keys in use by the descram- 
bler, e.g. through theft of key lists, then the ser- 
vices are open to attacks known as "spoofing". In 
these attacks, the attacker intercepts the authoriza- 
tion message, decrypts certain portions of it, sub- 

20 stitutes data desired by the attacker, and reen- 
crypts the substituted message under the key 
known to be held by the descrambler. The resul- 
tant message is delivered to the descrambler, 
causing the descrambler to authorize incorrectly. 

25 An object of the present invention is to render 

such attacks null and void, either immediately, or 
upon replacement of the compromised keys by the 
message originator. As a result of this, an attacker 
is forced either to compromise the descrambier 

30 hardware or to obtain the most basic keys, which 
cannot be changed because they are fixed ms'ide 
the descrambler hardware. 



35 SUMMARY OF THE INVENTION 

The present invention provides a key security 
system and a descrambler for reproducing secure 
keys by using distributed key generation data and 

40 a distributed encrypted prekey. 

The key security system of the present inven- 
tion includes means for encrypting first-key genera- 
tion data with a first-key prekey in accordance with 
a first encryption algorithm to produce a first key; 

45 means for processing the first key to produce a 
keystream; means for processing an information 
signal with the keystream to produce a scrambled 
information signal; means for encrypting the first- 
key prekey with a second key in accordance with a 

so second encryption algorithm to produce an encryp- 
ted first-key prekey; means for distributing the 
scrambled information signal, the first-key genera- 
tion data and the encrypted first-key prekey; and a 
descrambler, including means for providing the 
second key; means for decrypting the distributed 
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encrypted first-key prekey with the s cond k y in 
accordance with the second encryption algorithm 
to reproduc the first-key prek y; means for en- 
crypting the distributed first-key gen ration data 
with the reproduced first-key prekey in accordance 
with the first encryption algorithm to reproduce the 
first key; means for processing the reproduced first 
key to reproduce the keystream; and means for 
processing the distributed scrambled information 
signal with the reproduced keystream to descram- 
ble the distributed scrambled information signal. 

The present invention may be used to prevent, 
or guarantee termination of, such spoofing tech- 
niques as (1) substitution of pirate access speci- 
fications for the intended access specifications in 
the case when ail access authorization must be 
possessed by the descrambler; (2) substitution of 
pirate access specification for the intended access 
specifications in the case when only part of the 
access authorization must be possessed by the 
descrambler; and (3) interception of a deauthoriza- 
tion message, thus causing the descrambler to 
remain authorized through the use of obsolete keys 
and/or authorization data. 

The key generation data may include certain 
quantities related to the authorization process, and 
may be transmitted in the clear. These key genera- 
tion data quantities may be transmitted in the same 
message as the prekey and/or may already be 
stored in the descrambler. 

The contents of the key generation data and 
the prekey may be any data values that can be 
shared by all descramblers requiring the repro- 
duced key. An example of such data, used in the 
preferred embodiment, is the set of access tiers 
associated with a program in a subscription pay-TV 
system. 

In the preferred embodiment, the messages 
carrying encrypted prekey and the key generation 
data are transmitted in the signal carrying the ser- 
vices of a subscription pay-TV system, but they 
may also be transmitted separately. 

Once the descrambler has reproduced the 
prekey by decrypting the encrypted prekey it uses 
the reproduced prekey to process the key genera- 
tion data to reproduce the key. Since the key 
reproduction is performed inside the descrambler, 
any attacker wishing to alter the key generation 
data to a desired value must also alter the prekey 
to obtain the same output data. Such an attack 
would also require breaking the encryption algo- 
rithm. 

If the descrambler can be authorized by cor- 
rectly setting only a small number of bits of the key 
generation data, then an attacker may be able to 
find a suitable pair of prekey and key generation 
data within a short time. To thwart such an attack 
the encryption process in producing the key is 



enhanced. In accordance with such enhanced en- 
cryption process, th key generation data is en- 
crypted by the first key in accordance with the 
encryption algorithm to produce encrypted k y 

s generation data; and the encrypted key generation 
data is processed with the key generation data to 
produce the first key. In the face of such enhance- 
ment, an attacker would have to break the encryp- 
tion algorithm regardless of the use of the key 

10 generation data or the prekey by the descrambler. 
This enhanced encryption process is used in the 
preferred embodiment. 

If the prekey is delivered encrypted under a 
key provided in the descrambler, and the key gen- 

75 eration data for the key derived from the prekey 
includes a sequence number securely associated 
with the stored key, then the descrambler can be 
configured so that it will not decrypt the prekey and 
generate the required key unless it possesses the 

20 correct key identified by the sequence number. 
This technique, referred to as "timelock", ensures 
that the descrambler always requires up-to-date 
keys, and prevents attacks based on the use of 
obsolete keys. 

25 By repeated application of the basic techniques 

of the present invention, a chain of protection may 
be created whereby arbitrarily large blocks of au- 
thorization data are protected against spoofing at- 
tacks. 

30 Such chains can be specified in such a way 

that a group of descramblers which does not re- 
quire all the data in the chain can enter the chain at 
the earliest point which protects data applicable to 
that group of descramblers. 

35 Also, if more data must be protected than a 

single operation of the encryption algorithm can 
support, then additional data blocks are protected 
by chaining the system, wherein the output from 
one stage forms part of the input to the next In the 

40 first stage of the chain, the key generation number 
must be processed with a prekey. Subsequent 
stages may take several forms, such as described 
in the description of the preferred embodiments. 
Chaining is also appropriate when two or more 

45 groups of descramblers must use the same key. 
but do not process the same key generation data. 
Each group of descramblers can be provided one 
encrypted prekey in a common message, and de- 
rive the data and keys used in the subsequent 

so stages from key generation data acquired from 
messages referring to the later stages of the key 
reproduction process. The messages thus form a 
key generation chain. The entry point to the chain 
for each descrambler must be Identified by a se- 

55 curely protected quantity. 

A two-stage chain is used in program key 
generation in the preferred embodiment. Each 
block of key generation data represents the set of 
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access tiers required for a given category (group) 
of descramblers; and the key generation chain is 
completed with a stage that uses sensitive program 
attributes as key generation data 

Another featur of the key security system of 
the present invention is that it may be used in a 
scrambled signal communication system that is 
compatible with certain existing digital descram- 
bilng systems, such as the system described in 
U.S. Patent No. 4,712,238. In existing networks in 
which existing descramblers use a predetermined 
key hierarchy, such as that described in U.S. Pat- 
ent No. 4,712.238, it is possible to introduce a new 
family of descramblers into the network in a com- 
patible fashion by sharing a program key gen- 
erated by the final stage of the lowest level of the 
new key hierarchy which is different from the exist- 
ing system. This can be done provided that the two 
systems share the same access control .and 
keystream generation procedures below the point 
of linkage, and that the program key so generated 
by the new system (1) is valid for the same set of 
services in both systems; (2) is valid for the same 
period of time in both systems; and (3) has the 
same number of bits in both systems. Also it must 
be possible to deliver the program key produced in 
accordance with the present invention directly via a 
message in the presently existing system, prefer- 
ably in an encrypted form. 

Additional features of the present invention are 
described with reference to the description of the 
preferred embodiments. 

BRIEF DESCRIPTION OF THE DRAWING 

Figure 1A is a block diagram of a preferred 
embodiment of the scrambling and key generation 
data and prekey processing portions of the key 
security system of the present invention. 

Figure 1B is a block diagram of a preferred 
embodiment of a descrambler used with the 
scrambling and key generation data and prekey 
processing portions of the key security system 
according to the present invention shown in Figure 
1A. 

Figure 2 illustrates one technique according 
to the present invention of using several blocks of 
descrambler authorization data as key generation 
data and thereby protecting such authorization data 
from such alteration as would enable unauthorized 
use of the descrambler. 

Figure 3 illustrates an alternative technique 
according to the present invention of using several 
blocks of descrambler authorization data as key 
generation data and thereby protecting such au- 
thorization data from such alteration as would en- 
able unauthorized use of the descrambler. 



Figure 4 illustrates another alternative tech- 
nique according to the present invention of using 
several blocks of descrambler authorization data as 
key generation data and thereby protecting such 

5 authorization data from such alteration as would 
enable unauthorized use of the descrambler. 

Figure 5, which Is a combination of Figures 
5A and 5B, is a block diagram of a preferred 
embodiment of a portion of a key security system 

70 according to the present invention that processes 
key generation data and a prekey for distribution to 
descramblers. 

Rgure 6 is a block diagram of a further 
portion of the key security system of Rgure 5 In 

75 which a portion of the key generation data is pro- 
cessed to provide the key that is used to encrypt 
the prekey. 

Rgure 7, which is a combination of Rgures 
7A and 7B, is a block diagram of a preferred 

20 embodiment of a portion of a descrambler accord- 
ing to the present invention that processes the 
distributed key generation data and encrypted 
prekey to provide the key used for descrambling 
the distributed scrambled information signal. 

25 Rgure 8 is a block diagram of a further 

portion of the descrambler of Rgure 7 in which a 
portion of the key generation data is processed to 
provide the key that is used to decrypt the encryp- 
ted prekey. 

30 

DESCRIPTION OF THE PREFERRED EMBODI- 
MENTS 

35 Referring to Rgure 1A f a preferred embodi- 

ment of the scrambling and key generation data 
and prekey processing portions of the key security 
system of the present invention includes a first 
encryption unit 10, a second encryption unit 11, a 

40 first signal combining unit 12. a keystream gener- 
ator 13 and a second signal combining unit 15. The 
encryption units 10, 11 encrypt data in accordance 
with a predetermined encryption algorithm, such as 
the Data Encryption Standard (DES) algorithm. Oth- 

45 er encryption algorithms also may be used. The 
encryption algorithm must be such that it is com- 
putationally infeasible to perform decryption without 
prior knowledge of the encryption key. The DES 
algorithm is an example of such an encryption 

so algorithm. Both encryption units 10, 11 may be 
implemented in a single unit on a time-shared 
basis. The combining units 12, 15 process received 
signals in accordance with a predetermined pro- 
cessing scheme. In the preferred embodiment, the 

55 combining units 12, 15 are exclusive-OR (XOR) 
logic elements. 

The first encryption unit 10 encrypts first-key 
generation data 17 with a first-key prek y 18 in 
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accordance with a first encryption algorithm to pro- 
duce encrypted first-key generation data 19. The 
combining unit 12 processes the first-key genera- 
tion data 17 with the encrypted first-key generation 
data 19 to produce a first key 20. 

The second encryption unit 11 encrypts the 
first-key prekey 18 with a second key 22 in accor- 
dance with a second encryption algorithm to pro- 
duce an encrypted first-key prekey 23. The second 
encryption algorithm may be identical to the first 
encryption algorithm, or different algorithms may 
be used. 

The keystream generator 13 processes the first 
key 20 to produce a keystream 25; and the com- 
bining unit 15 processes an information signal 26 
with the keystream 25 to produce a scrambled 
information signal 27. 

The scrambled information signal 27, the first- 
key generation data 17 and the encrypted first-key 
prekey 23 are distributed to descramblers, such as 
the descrambler shown in Figure 1 B. 

Referring to Figure 1 B a preferred embodiment 
of a descrambler according to the present invention 
includes a second key generator 29, a first decryp- 
tion unit 30, a third encryption unit 31, a third 
combining unit 32, a second keystream generator 
33. a fourth combining unit 34 and an authorization 
processor 35. As in that portion of the key security 
system shown in Figure 1A, the combining units 
32, 34 process received signals in accordance with 
a predetermined processing scheme; and in the 
preferred embodiment, the combining units 32, 34 
are XOR logic elements. Also, the decryption and 
encryption units 30, 31 respectively decrypt and 
encrypt data in accordance with a predetermined 
encryption algorithm, such as the DES algorithm. 
Other encryption algorithms also may be used; and 
both encryption units 30, 31 may be implemented 
in a single unit on a time-shared basis. 

The second key generator 29 generates the 
second key 22. In an alternative embodiment, the 
second key is stored in the descrambler instead of 
being generated in the descrambler. The first de- 
cryption unit 30 decrypts the distributed encrypted 
first-key prekey 23 with the second key 22 in 
accordance with the second encryption algorithm 
to reproduce the first-key prekey 18. 

The third encryption unit 31 encrypts the dis- 
tributed first-key generation data 17 with the repro- 
duced first-key prekey 18 in accordance with the 
first encryption algorithm to reproduce the encryp- 
ted first-key generation data 19. The combining 
unit 32 processes the reproduced encrypted first- 
key generation data 19 with the distributed first-key 
generation data 1 7 to reproduce the first key 20. 

The keystream generator 33 processes the re- 
produced first key 20 to reproduce the keystream 
25; and the combining unit 34 processes the dis- 



tributed scrambled information signal 27 with the 
reproduced keystream 25 to descramble the dis- 
tributed scrambled information signal 27. 

The authorization processor processes the dis- 

5 tributed key generation data 17 in order to enable 
the descrambler. Such authorization processing is 
of the nature described in U.S. Patent No. 
4,712,238, wherein authorization signals such as 
cost and credit signals and a program mask and 

;o authorization word are processed to enable a de- 
scrambler. By using such authorization signals as 
first-key generation data, the authorization signals 
are protected against alteration, since if they are 
altered the first-key generation data distributed to 

75 the descrambler is likewise altered, whereby the 
descrambler will not be able to reproduce the first 
key by using altered key generation data. 

In some embodiments of the key security sys- 
tem of the present invention, the quantity of first- 

20 key generation data that must be processed by the 
authorization processor in the descrambler in order 
to enable the descrambler exceeds the encryption 
capacity of a single operation of the applicable 
encryption algorithm. In such a key security sys- 

25 tern, the key generation data is divided into data 
blocks and the first key is generated by a more 
complex series of encryption steps in order to 
protect ail of the blocks of data. Examples of sys- 
tems for performing such more complex process- 

30 ing are described with reference to Figures 2 
through 4. 

Referring to Figure 2, a system for producing 
the first key in both the descrambler of Figure 1B 
and that portion of the key security system shown 

35 in Figure 1A includes a first encryption unit 37, a 
second encryption unit 38 and a third encryption 
unit 39. Each of the encryption units 37, 38, 39 
respectively encrypts data in accordance with a 
predetermined encryption algorithm, such as the 

40 DES algorithm. Other encryption algorithms also 
may be used; and all three encryption units 37, 38, 
39 may be implemented in a single unit on a time- 
shared basis. 

The first encryption unit 37 encrypts a first 

45 block 41 of the first-key generation data 17 with the 
first-key prekey 18 in accordance with a first en- 
cryption algorithm to produce a first intermediate 
key 42. 

The second encryption unit 38 encrypts a see- 
so ond block 43 of the first-key generation data 17 
with the first intermediate key 42 in accordance 
with a second encryption algorithm to produce a 
second intermediate key 44. 

The third encryption unit 39 encrypts a third 
55 block 45 of the first-key generation data with the 
second intermediate key 44 in accordance with a 
third encryption algorithm to produce the first key 
20. 
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The first, second and third encryption algo- 
rithms may be identical or different. 

Th number of encryption units included in the 
system of Figure 2 is dependent upon the number 
of data blocks that are to be protected. 

Each encryption unit 37 t 38. 39 in the system 
of Figure 2 preferably further includes the combin- 
ing units shown in Figures 1A and 1B, wherein 
each block of key generation data is encrypted to 
produce an encrypted data block and also com- 
bined with the encrypted data block to produce the 
resultant key. 

Referring to Figure 3, another system for pro- 
ducing the first key in both the descrambler of 
Figure 18 and that portion of the key security 
system shown in Figure 1A includes a first encryp- 
tion unit 47, a second encryption unit 48 and a 
third encryption unit 49. Each of the encryption 
units 47, 48, 49 respectively encrypts data in ac- 
cordance with a predetermined encryption algo- 
rithm, such as the DES algorithm. Other encryption 
algorithms also may be used; and all three encryp- 
tion units 47, 48, 49 may be implemented in a 
single unit on a time-shared basis. 

The first encryption unit 47 encrypts a first 
block 51 of the first-key generation data 17 with the 
first-key prekey 18 in accordance with the first 
encryption algorithm to produce a first intermediate 
key 52. 

The second encryption unit 48 encrypts the 
first intermediate key 52 with a second block 53 of 
the first-key generation data 17 in accordance with 
a second encryption algorithm to produce a second 
intermediate key 54. 

The third encryption unit 49 encrypts the sec- 
ond intermediate key 54 with a third block 55 of the 
first-key generation data 17 in accordance with a 
third encryption algorithm to produce the first key 
20. 

The first, second and third encryption algo- 
rithms may be identical or different. 

The number of encryption units included in the 
system of Figure 3 is dependent upon the number 
of data blocks that are to be protected. 

Each encryption unit 47, 48, 49 in the system 
of Figure 3 preferably further includes the combin- 
ing units shown in Figures 1A and 1B, wherein 
each block of key generation data is encrypted to 
produce an encrypted data block and also com- 
bined with the encrypted data block to produce the 
resultant key. 

Referring to Figure 4, still another system for 
producing the first key in both the descrambler of 
Figure 1B and that portion of the key security 
system shown in Figure 1A includes a first encryp- 
tion unit 57, a second encryption unit 58, a third 
encryption unit 59, a first combining unit 60, a 
second combining unit 61. a third combining unit 



62 and a fourth combining unit 63. Each of th 
encryption units 57. 58, 59 respectively encrypts 
data in accordance with a predetermined encryp- 
tion algorithm, such as the DES algorithm. Other 

5 encryption algorithms also may be used; and all 
three encryption units 57, 58, 59 may be imple- 
mented in a single unit on a time-shared basis. The 
combining units 60, 61, 62, 63 preferably are XOR 
logic elements. Alternatively, other types of com- 

ro bining units may be used. 

The first encryption unit 57 encrypting a first 
block 65 of the first-key generation data 17 with the 
first-key prekey 18 in accordance wfth the first 
encryption algorithm to produce a first intermediate 

is key 66. 

The first combining unit 60 processes a second 
block 67 of the first-key generation data 17 with the 
first intermediate key 66 to produce a preencrypted 
second block of data 68. 

20 The second encryption unit 58 encrypts the 

preencrypted second block of data 68 with a third 
block 69 of the first-key generation data 17 in 
accordance with a second encryption algorithm to 
produce an encrypted second block of data 70. 

25 The second combining unit 61 processes the 

encrypted second block of data 70 with the second 
block of data 67 to produce a second intermediate 
key 71. 

The third combining unit 62 processes a fourth 
30 block 72 of the first-key generation data 17 with the 
second intermediate key 71 to produce a preen- 
crypted fourth block of data 73. 

The third encryption unit 59 encrypts the 
preencrypted fourth block of data 73 with a fifth 
35 block 74 of the first-key generation data 17 in 
accordance with a fourth encryption algorithm to 
produce an encrypted fourth block of data 75. 

The fourth combining unit 63 processes the 
encrypted fourth block of data 75 with the fourth 
40 block of data 72 to produce the first key 20. 

The first encryption unit 57 in the system of 
Figure 4 preferably further includes the combining 
units shown in Figures 1A and 1B, wherein each 
block of key generation data is encrypted to pro- 
45 duce an encrypted data block and also combined 
with the encrypted data block to produce the resul- 
tant key. 

The first, second and third encryption algo- 
rithms may be identical or different, 
so The number of encryption and combining units 

included in the system of Figure 4 is dependent 
upon the number of data blocks that are to be 
protected. 

Figures 5 through 8 show a preferred embodi- 
55 ment of the security system of trie present inven- 
tion incorporated within a pay television system, 
such as described in U.S. Patent No. 4.712,238. 

The key hierarchy of the system generally foi- 
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lows that described in U.S. Pat nt No. 4,613,901. 
H wever, in this embodiment, as described with 
reference in Figures 5 and 7, encrypted program 
prekeys and encrypted program prekey prekeys 
are distributed to the descramblers instead of en- 
crypted program keys. In such patent the program 
keys are referred to as "channel" keys. 

The output of this chain may be further modi- 
fied if an impulse-purchasable program has a free 
preview portion. In this case, one bit of the output 
of the program key generation chain is comple- 
mented during the free preview portion of the pro- 
gram. 

Referring to Figure 5, the security system in- 
cludes a CATV section for processing key genera- 
tion data pertaining to CATV (cable television) 
broadcasts and a DBS section for processing key 
generation data pertaining to DBS (direct broadcast 
satellite) broadcasts. These sections are embodied 
in a first control computer. The first control com- 
puter generates a CATV program rekey message 
78 (shown within dashed lines in Figure 5A), a DBS 
program rekey message 79 (shown within dashed 
lines in Figure 5B), a first category sequence num- 
ber 80. a second category sequence number 81 , a 
unit key index 82, a CATV category key 83a, a 
DBS category key 83b t a program prekey prekey 
84 and program cost data 85. The DBS category 
key 83b is different from the CATV category key 
83a. 

The CATV and DBS categories are distin- 
guished functionally by the fact that they have 
different access requirement definitions. In order 
that the same program key is reproduced for both 
categories, the output of the CATV section is used 
as the initial prekey for the DBS section. All CATV 
descramblers, therefore, must process both the 
CATV and DBS information in order to derive the 
program key. However, only the CATV authoriza- 
tion data is processed by an authorization proces- 
sor 35 to authorize a CATV descrambler. The con- 
catenation of CATV and DBS program key produc- 
tion and reproduction chains is shown in the com- 
bination of Figures 5(A) and 5(b) and in the com- 
bination of Figures 7(A) and 7(B). Additional cate- 
gories could precede the CATV category in the 
chain if, for example, additional data services were 
to be provided to specialized data descramblers as 
well as to CATV and DBS descramblers. If the 
chain includes more than two stages, the key gen- 
eration data for the additional stages includes a 
category number that is used as an address to 
select the program rekey message. 

The output of this chain may be further modi- 
fied if an impulse-purchasable program has a free 
preview portion. In this case, one bit of the output 
of the program key generation data chain is com- 
plemented during the free preview portion of the 



program. 

The CATV section includes first and second 
data registers, 86, 87, first and second encryption 
units 88, 89, first and second XOR gates 90, 91 , an 

5 expansion unit 92, and a truncation unit 93. 

Program prekey generation data. Is stored in 
the second register 87. This includes either a con- 
trol byte, data service tiers bytes 0. 1 and 2, and 
four subscription tiers, as shown in Figure 5A, or 

io the control byte and seven tier bytes 0-6, as deter- 
mined by the control byte. Each register section 
shown in the drawing contains one byte of data. 
The tier data indicates particular programming that 
may be descrambled on a subscription basis by 

75 CATV subscribers and on either a subscription or 
an impulse-pay-per-view (IPPV) basis by DBS sub- 
scribers. 

The expansion unit 92 combines the program 
prekey prekey 84, which is seven bytes long, with 

20 the first category sequence number 80, which is 
.one byte long, to produce an expanded eight-byte 
program prekey prekey 95. The first XOR gate 90 
processes the expanded program prekey prekey 
95 with spotbeam mask data stored in the first 

25 register 86 by modulo-2 addition to produce a 
preencrypted program prekey prekey 96. The first 
encryption unit 88 encrypts the preencrypted pro- 
gram prekey prekey 96 with the CATV category 
key 83a in accordance with a first encryption al- 

30 gorithm, such as the DES algorithm, to produce an 
encrypted program prekey prekey 97. Spotbeam 
mask data indicates geographical regions where 
descrambling of the broadcast television signal is 
authorized. The encrypted program prekey prekey 

as 97 in included in the CATV program rekey mes- 
sage 78. 

The second encryption unit 89 encrypts the 
program prekey generation data stored in the sec- 
ond register 87 with the program prekey prekey 84 

40 in accordance with a second encryption algorithm 
to produce encrypted program key generation data 
99. The truncation unit 93 reduces the length of the 
encrypted program generation data 99 by truncat- 
ing the least significant data byte to produce trun- 

45 cated encrypted program key generation data 100. 
which is seven bytes long. The truncation unit 93 is 
required only if the encryption algorithm produces 
an 8-byte output signal upon being keyed with a 7- 
byte key. The second XOR gate 91 processes the 

so seven-byte truncated encrypted program key gen- 
eration data 100 with the seven bytes of program 
prekey generation data stored in the second regis- 
ter 87 other than the control byte by modulo-2 
addition to produce a program prekey 101, which is 

55 forwarded to the DBS section (Figure 5B). The first 
and second algorithms may be the same or dif- 
ferent. 

The DBS section includes first, second and 
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third data registers 103, 104, 105, first, second and 
third encryption units 106. 107. 108. first, second 
and third XOR gates 109. 110, 111. an expansion 
unit 112. and first and second truncation units 113. 
114. 

Spotbeam mask data is stored in the first regis- 
ter 103. 

Intermediate program key generation data is 
stored in the second register 104. This includes 
either a control byte, data service tiers bytes 0, 1 
and 2. and four subscription tiers, as shown in 
Figure 5A. or the control byte and seven tier bytes 
0-6. 

Program key generation data is stored in the 
third register 105. This includes the first category 
sequence number (one byte) 80, the second cate- 
gory sequence number (one byte) 81, the unit key 
index (one byte) 82. and two bytes of program cost 
data 85. 

The expansion unit 112 combines the program 
prekey 101, which is seven bytes long, with the 
first category sequence number 80, which is one 
byte long, to produce an expanded eight-byte pro- 
gram prekey 116. The first XOR gate 109 pro- 
cesses the expanded program prekey 116 with 
spotbeam mask data stored in the first register 103 
by modulo-2 addition to produce a preencrypted 
program prekey 117. The first encryption unit 106 
encrypts the preencrypted program prekey 117 
with the DBS category key 83b in accordance with 
a first encryption algorithm, such as the DES al- 
gorithm, to produce an encrypted program prekey 
118. The encrypted program prekey 118 is in- 
cluded in the DBS program rekey message 79. 

The second encryption unit 107 encrypts the 
first program key generation data stored in the 
second register 104 with the program prekey 101 
in accordance with a second encryption algorithm 
to produce encrypted first program key generation 
data 120. The first truncation unit 113 reduces the 
length of the encrypted first program generation 
data 120 by truncating the least significant data 
byte to produce truncated encrypted first program 
key generation data 121, which is seven bytes 
long. The second XOR gate 110 processes the 
seven-byte truncated encrypted first program key 
generation data 121 with the seven bytes of pro- 
gram key generation data stored in the second 
register 104 other than the control byte by modulo- 
2 addition to produce an intermediate program key 
122. The intermediate program key 122 may be 
encrypted by another category key and distributed 
to descramblers as an encrypted program key in 
accordance with a modified version of the prior art 
system described in U.S. Patent No. 4.712.238. in 
the modified version of such prior art system, the 
descrambier thereof is modified by adding a stage 
that processes the program key reproduced therein 



in the same manner as the last stage of the de- 
scrambler shown in Figure 7B herein processes the 
intermediate program key 122. 

The third encryption unit 108 encrypts the sec- 
5 ond program key generation data stored in the 
second register 105 with the intermediate program 
key 122 in accordance with a third encryption 
algorithm to produce encrypted second program 
key generation data 124. The first, second and 
70 third algorithms may be the same or different. The 
second truncation unit 114 reduces the length of 
the encrypted second program generation data 124 
by truncating the least significant data byte to 
produce truncated encrypted second program key 
is generation data 125. which is seven bytes long. 
The third XOR gate 1 1 1 processes the seven-byte 
truncated encrypted second program key genera- 
tion data 125 with the seven bytes of program key 
generation data stored in the second register 104 
20 other than one of the permanent zero bytes by 
modulo-2 addition to produce a program key 126. 
The program key 126 is processed by the 
keystream generator 13 (Figure 1A) to produce a 
keystream 25 for scrambling a television signal. In 
25 some embodiments, only the audio portion of the 
television signal is scrambled by combination with 
the keystream 25. The program key 126 may be 
encrypted by another category key and distributed 
to descramblers as an encrypted program key in 
30 accordance with the prior art system described in 
U.S. Patent No. 4,712,238. 

The different encryption units may be imple- 
mented by a single encryption unit on a time 
shared basis. Other processing units likewise may 
35 be implemented in single processing units on a 
time shared basis. 

A portion of the key generation data is also 
processed in a second control computer at a signal 
distribution site to encrypt the category key 83 for 
40 distribution. Such processing is described with ref- 
erence to Figure 6. 

The category key 83 also is used to authen- 
ticate certain unit-specific authorization data such 
as the descrambier unit's access tiers and impulse 
45 pay-per-view (IPPV) credit limit, by using repeated 
applications of the procedure described in U.S. 
Patent No. 4,712,238. 

In addition, the category key is used to authen- 
ticate the second category sequence number 81, 
so which is used as a timelock on program key gen- 
eration, and the category number, which identifies 
the descrambler's entry point in the program key 
generation chain. 

For consumer descramblers supporting IPPV, 
55 the category key 83 is combined with the descram- 
bier unit address and certain other data to create a 
unit-specific key which decrypts IPPV-related data 
items to create a secure authenticator. using the 
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procedure described in U.S. Patent No. 4,712,238. 

The processing system of Figure 6 is included 
in the second control computer. This processing 
system includes first second, third and fourth en- 
cryption units 130, 131, 132, 133, first, second, 
third, fourth, fifth and sixth XOR gates 134, 135, 
136, 137, 138, 139 and first, second, third, fourth, 
fifth and sixth registers 140, 141, 142, 143, 144, 
145. Each of the registers stores eight bytes of 
data. 

The second control computer generates a cate- 
gory rekey message including the information 
shown within the dashed lines 147. and a unit key 
148 for each descrambler to which the category 
rekey message is addressed. The category key 83 
and the second category sequence number 81 are 
received from the first control computer (Figure 5). 
The category rekey message 147 is individually 
addressed to each descrambler. Lists of different 
unit keys 148 for the different descramblers, as 
based on a common unit key number 160, are 
provided to the second control computer. Different 
category rekey messages are provided for CATV 
and DBS subscribers. 

The first register 140 stores the second cate- 
gory sequence number 81, a category number 
(one byte), a two byte view history (VH) stack, one 
byte of unit control data, one byte of region code 
data, and two tier data bytes for tiers 0-15. 

The second register 141 stores seven tier data 
bytes for tiers 16-71. 

The third register 142 stores eight tier data 
bytes for tiers 72-135. 

The fourth register 143 stores two bytes of 
credit data pertaining to the descrambler to which 
the category rekey message 147 is addressed and 
five bytes of location code. 

The fifth register 144 stores eight tier data 
bytes for tiers 136-199. 

The sixth register 145 stores seven tier data 
bytes for tiers 200-255. 

The first encryption unit 130 encrypts the cate- 
gory key 83 with the unit key 148 in accordance 
with a first encryption algorithm, such as the DES 
algorithm, to produce a first intermediate encrypted 
category key 150. 

The first XOR gate 134 processes the first 
intermediate encrypted category key 150 with the 
data stored in the first register 140 by modulo-2 
addition to produce a second intermediate encryp- 
ted category key 151. 

The fourth XOR gate 137 processes the unit 
key 148 with the data stored in the second register 
141 by modulo-2 addition to produce a first en- 
crypted unit key 152. 

The second encryption unit 131 encrypts the 
second intermediate encrypted category key 151 
with the first encrypted unit key 152 in accordance 



with a second encryption algorithm to produce a 
third intermediate encrypted category key 1 53. 

The second XOR gate 135 processes the third 
intermediate encrypted category key 153 with th 

s data stored in the third register 142 by modulo-2 
addition to produce a fourth intermediate encrypted 
category key 154. 

The fifth XOR gate 138 processes the unit key 
148 with the data stored in the fourth register 143 

to by modulo-2 addition to produce a second encryp- 
ted unit key 155. 

The third encryption unit 133 encrypts the 
fourth intermediate encrypted category key 154 
with the second encrypted unit key 155 in accor- 

75 dance with a third encryption algorithm to produce 
a fifth intermediate encrypted category key 156. 

The third XOR gate 136 processes the fifth 
intermediate encrypted category key 156 with the 
data stored in the fifth register 144 by modulo-2 

20 addition to produce a sixth intermediate encrypted 
category key 1 57. 

The sixth XOR gate 139 processes the unit key 
148 with the data stored in the sixth register 145 by 
modulo-2 addition to produce a third encrypted unit 

25 key 158. 

The fourth encryption unit 133 encrypts the 
sixth intermediate encrypted category key 157 with 
the third encrypted unit key 1 58 in accordance with 
a fourth encryption algorithm to produce an en- 

oo crypted category key 159. The encrypted category 
key 159 is included in each category rekey mes- 
sage 147. Each category rekey message 147 also 
includes a three-byte unit key number 160. The 
unit key number 1 60 includes the one-byte unit key 

35 index 82, which is common to all descramblers for 
a given program. 

The first, second, third and fourth encryption 
algorithms may be the same or different. The first, 
second, third and fourth encryption units may be 

40 embodied in a single encryption unit on a time- 
shared basis. 

The scrambled television program, the cate- 
gory rekey messages 147 and each program rekey 
message 78, 79 are distributed to the descramblers 

45 of the respective CATV and DBS broadcast sys- 
tems. 

Figures 7 and 8 illustrate a descrambler, which 
is included in a preferred embodiment of the secu- 
rity system of the present invention for descram- 

so biing television signals having their program keys 
secured by that portion of the security system 
described with reference to Figures 5 and 6. 

Referring to Figure 7, a descrambler included 
in a CATV system, makes use of a CATV section 

55 (Figure 7A) for processing key generation data 
pertaining to CATV broadcasts and a DBS section 
(Figure 7B)"for processing key generation data 
pertaining to DBS broadcasts; whereas a descram- 
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b! r included in a DBS system makes use of only 
the DBS section (Figure 7B). The descrambter is 
adapted to process both the CATV rek y message 
78 and the DBS program rekey message 79. The 
descrambter includes first and second switches 
161, 162, which are placed in the DBS position 
when the descrambler is included in a DBS broad- 
cast system, or placed in the CATV position when 
the descrambler is included in a CATV broadcast 
system. The positioning of the first and second 
switches 161, 161 is determined in accordance 
with a category number that is used as an address 
to select the CATV or DBS program rekey mes- 
sage. 

The CATV section of the descrambler includes 
first and second data registers. 166, 167, a decryp- 
tion unit 168. an encryption unit 169, first and 
second XOR gates 170, 171 . and first and second 
truncation units 172, 173. 

Program prekey generation data, is stored in 
the second register 167. This includes either a 
control byte, data service tiers bytes 0, 1 and 2, 
and four subscription tiers, as shown in Figure 7A, 
or the control byte and seven tier bytes 0-6. 

The decryption unit 168 decrypts the encryp- 
ted prekey prekey 97 with the CATV category key 
83a in accordance with the first algorithm used by 
the encryption unit 88 in the first control computer 
(Figure 5A) to provide reproduce the preencrypted 
program prekey prekey 96. 

The first XOR gate 170 processes the repro- 
duced preencrypted program prekey prekey 96 
with spotbeam mask data stored in the first register 
166 by modulo-2 addition to reproduce the ex- 
panded program prekey prekey 95. Since the re- 
produced expanded program prekey prekey 95 is 
eight bytes long, the first truncation unit 172 trun- 
cates one byte therefrom to reproduce the program 
prekey prekey 84. The truncated byte is the first 
category sequence number 80, which is provided 
via the switch 162 to the DBS section for use as 
part of the second key generation data for re- 
producing the second program key, as will be 
described below in relation to the reproduction of 
the second program key. 

The encryption unit 169 encrypts the program 
prekey generation data stored in the second regis- 
ter 167 with the reproduced program prekey 
prekey 84 in accordance with the second encryp- 
tion algorithm used by the second encryption unit 
89 in the first control computer to reproduce the 
encrypted program key generation data 99. The 
truncation unit 173 reduces the length of the repro- 
duced encrypted program generation data 99 by 
truncating the least significant byte to reproduce 
the truncated encrypted program key generation 
data 100. which is seven bytes long. The second 
XOR gate 171 processes the reproduced seven- 



byte truncated encrypted program prekey genera- 
tion data 100 with the seven byt s of program key 
generation data stored in the second register 87 
other than the c ntrol byt by modulo-2 addition to 

5 reproduce the program prekey 101, which is for- 
warded to the DBS section (Figure 78). 

The DBS section includes first second and 
third data registers 183, 184, 185, a decryption unit 
186, first and second encryption units 187, 188, 

70 first, second and third XOR gates 189, 190, 191, 
and first, second and third truncation units 192, 
193, 194. 

Spotbeam mask data is stored in the first regis- 
ter 183. 

75 Intermediate program key generation data is 

stored in the second register 184. This includes 
either a control byte, data service tiers bytes 0, 1 
and 2, and four subscription tiers, as shown in 
Figure 7A, or the control byte and seven tier bytes 

20 0-6. 

Program key generation data is stored in the 
third register 185. This includes the first category 
sequence number (one byte) 80, the second cate- 
gory sequence number (one byte) 81, the unit key 

25 index (one byte) 82, and two bytes of program cost 
data 85. The the second category sequence num- 
ber 81 and the unit key index 82 are provided from 
the received category rekey message 147 to pro- 
vide a timeiock for reproduction of the program 

30 key. 

The decryption unit 186 decrypts the encryp- 
ted prekey 118 with the DBS category key 83b in 
accordance with the first algorithm used by the 
encryption unit 106 in the first control computer 

as (Figure 5B) to provide reproduce the preencrypted 
program prekey 1 1 7. 

The first XOR gate 189 processes the repro- 
duced preencrypted program prekey 117 with spot- 
beam mask data stored in the first register 1 83 by 

40 modulo-2 addition to reproduce the expanded pro- 
gram prekey 116. Since the reproduced expanded 
program prekey 116 is eight bytes Jong, the first 
truncation unit 192 truncates one byte therefrom to 
reproduce the program prekey 101. The truncated 

45 byte is the first category sequence number 80, 
which is provided via the switch 1 62 to the register 
185 for use as part of the second key generation 
data for reproducing the second program key, as 
will be described below. 

50 The first encryption unit 187 encrypts the first 

program generation data stored in the second reg- 
ister 184 with the reproduced program prekey 101 
in accordance with the second encryption algorithm 
used by the second encryption unit 107 in the first 

55 control computer to reproduce the encrypted first 
program key generation data 120. The truncation 
unit 193 reduces the length of the reproduced 
encrypted first program generation data 120 by 
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truncating the least significant byte to reproduce 
th truncated encrypted first program key genera- 
tion data 121, which is seven bytes long. The 
second XOR gate 190 processes the reproduced 
seven-byte truncated encrypted first program 
prekey generation data 121 with the seven bytes of 
program key generation data stored in the second 
register 1 84 other than the control byte by modulo- 
2 addition to reproduce the intermediate program 
key 122. 

The second decryption unit 188 decrypts the 
encrypted prekey 118 with the category key 83 in 
accordance with the first algorithm used by" the 
encryption unit 108 in the first control computer 
(Figure 5B) to provide reproduce the preencrypted 
program prekey 117. 

The first XOR gate 189 processes the repro- 
duced preencrypted program prekey 117 with spot- 
beam mask data stored in the first register 183 by 
moduto-2 addition to reproduce the expanded pro- 
gram prekey 116. Since the reproduced expanded 
program prekey 116 is eight bytes long, the first 
truncation unit 192 truncates one byte therefrom to 
reproduce the program prekey 101. The truncated 
byte is the first category sequence number 80, 
which is provided via the switch 162 to the register 
185 for use as part of the second key generation 
data for reproducing the second program key, as 
wili be described below. 

The first encryption unit 187 encrypts the first 
program generation data stored in the second reg- 
ister 184 with the reproduced program prekey 101 
in accordance with the second encryption algorithm 
used by the second encryption unit 107 In the first 
control computer to reproduce the encrypted first 
program key generation data 120. The truncation 
unit 193 reduces the length of the reproduced 
encrypted first program generation data 120 by 
truncating the least significant byte to reproduce 
the truncated encrypted first program key genera- 
tion data 121, which is seven bytes long. The 
second XOR gate 190 processes the reproduced 
seven-byte truncated encrypted first program 
prekey generation data 1 21 with the seven bytes of 
program key generation data stored in the second 
register 1 84 other than the control byte by modulo- 
2 addition to reproduce the intermediate program 
key 122. 

The second encryption unit 188 encrypts the 
second program key generation data stored in the 
third register 185 with the intermediate program 
key 122 in accordance with the third encryption 
algorithm used by the third encryption unit in the 
first control computer (Figure 5B) to reproduce the 
encrypted second program key generation data 
124. The third truncation unit 194 reduces th 
length of the reproduced encrypted second pro- 
gram generation data 124 by truncating the least 



significant data byte to reproduce the truncated 
encrypted second program key generation data 
125, which is seven bytes long. The third XOR gate 
191 process s th reproduced seven-byte trun- 

5 cated encrypted second program key generation 
data 125 with the seven bytes of program key 
generation data stored in the second register 185 
other than one of the permanent zero bytes by 
modulo-2 addition to reproduce the program key 

10 126. The program key 126 is processed by the 
keystream generator 33 (Figure 1B) to reproduce 
the keystream 25 for descrambling the scrambled 
television signal. 

The section of the descrambler that processes 

75 the category rekey message to reproduce the cate- 
gory key 83 is described with reference to Figure 
8. 

This processing section includes a key seed 
memory 200, a unit key generation data register 

20 201, first, second and third encryption units 202, 
203, 204, first, second, third and fourth decryption 
units 210, 211, 212, 213, first, second, third, fourth, 
fifth and sixth XOR gates 214, 215, 216. 217. 218. 
219 and first, second, third, fourth, fifth and sixth 

25 registers 220. 221 , 222, 223. 224. 225. Each of the 
registers stores eight bytes of data. The different 
encryption units may be implemented by a single 
encryption unit on a time shared basis. Other pro- 
cessing units likewise may be implemented in sin- 
so gie processing units on a time shared basis. 

The first register 220 stores the second cate- 
gory sequence number 81, which is also provided 
to the portion of the descrambler discussed in 
Figure 7, a category number (one byte), a two byte 

3S view history (VH) stack, one byte of unit control 
data, one byte of region code data, and two tier 
data bytes for tiers 0-15. 

The second register 221 stores seven tier data 
bytes for tiers 16-71. 

40 The third register 222 stores eight tier data 

bytes for tiers 72-135. 

The fourth register 223 stores two bytes of 
credit data pertaining to the descrambler to which 
the category rekey message 147 is addressed and 

46 five bytes of location code. 

The fifth register 224 stores eight tier data 
bytes for tiers 136-199. 

The sixth register 225 stores seven tier data 
bytes for tiers 200-255. 

so The tier data, program cost data, and credit 

data are processed by the authorization processor 
35 to determine whether the descrambier is to be 
enabled for descrambling the scrambled television 
signal, as described in the aforementioned U.S. 

55 Patent No. 4,712.238. 

The sixth XOR gate 219 processes the repro- 
duced unit k y 148 with the data stored in the sixth 
register 225 by modulo-2 addition to reproduce the 
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third encrypted unit key 158. 

The fourth decryption unit 213 decrypts the 
encrypted category key 159 with the reproduc d 
third encrypted unit key 158 in accordance with the 
fourth encryption algorithm used by the fourth en- 
cryption unit 143 in the second control computer 
(Figure 6) to reproduce the sixth intermediate en- 
crypted category key 157. 

The third XOR gate 216 processes the repro- 
duced sixth intermediate encrypted category key 

157 with the data stored in the fifth register 224 by 
modulo-2 addition to reproduce the fifth intermedi- 
ate encrypted category key 156. 

The fifth XOR gate 218 processes the repro- 
duced unit key 148 with the data stored in the 
fourth register 223 by modu!o-2 addition to repro- 
duce the second encrypted unit key 155. 

The third decryption unit 212 decrypts the re- 
produced fifth intermediate encrypted category key 

1 58 with the reproduced second encrypted unit key 
155 in accordance with the third encryption al- 
gorithm used by the third encryption unit 132 in the 
second control computer to reproduce the fourth 
intermediate encrypted category key 154. 

The second XOR gate 215 processes the re- 
produced fourth intermediate encrypted category 
key 154 with the data stored in the third register 
222 to reproduce the third intermediate encrypted 
category key 153. 

The fourth XOR gate 217 processes the repro- 
duced unit key 148 with the data stored in the 
second register 223 by modulo-2 addition to repro- 
duce the first encrypted unit key 155. 

The second decryption unit 211 decrypts the 
reproduced third intermediate encrypted category 
key 153 with the reproduced first encrypted unit 
key 152 in accordance with the second encryption 
algorithm used by the second encryption unit 131 
in the second control computer to reproduce the 
second intermediate encrypted category key 151. 

The first XOR gate 214 processes the repro- 
duced second intermediate encrypted category key 
151 with the data stored in the first register 220 to 
reproduce the first intermediate encrypted category 
key 150. 

The first decryption unit 210 decrypts the re- 
produced first intermediate encrypted category key 
150 with the reproduced unit key 148 in accor- 
dance with the first encryption algorithm used by 
the first encryption unit 130 in the first control 
computer to reproduce the category key 83. 

The unit key generation data register 201 
stores a three byte unit key number 160, which is 
included in the category rekey message 147, a 
one-byte fixed RAM value, which is stored in an 
internal RAM, and an eight byte unit address. The 
key generation number includes the unit key index 
82, which is also included in the second program 



key generation data stored In the register 185 and 
processed to r produce the program key 126. 

The first, second and third encryption units 
202, 203, 204 encrypt the unit key generation data 

s stored in the register 201 by using key seeds 
selected from the seed memory 200 in accordance 
with the contents of the unit key number 160 to 
reproduce the unit key 148 used to produce the 
encrypted category key 159 included in the cate- 

io gory rekey message 147 addressed to the de- 
scrambler. Such reproduction of the unit key is in 
accordance with the teaching of U.S. Patent No. 
4,634,808 to Karl E. Moerder. One byte of the unit 
key number 160, the unit key index 82, is used as 

is a timeiock to couple unit keys with program keys 
as described with reference to Figures 5B and 7B. 

The second category sequence number 81 and 
the unit key index 82 complete the timelocks link- 
ing the program key 126 to the category key 83 

20 and unit keys 148. 

The first category sequence number 80 and 
the unit key index 82 complete the timelocks link- 
ing the program key 126 to the category key and 
the unit keys of the modified version of the the 

25 prior art system described in U.S. Patent No 
4,712,238. 

In an alternative preferred embodiment, the in- 
vention is applied to the security concepts of 
shared addressing described in Internationa! Patent 

30 Application No. PCT/GB84/00237, filed- 2 July 
1983. In such an alternative embodiment, the unit 
key, generated as described above or by other 
means, is used to authenticate unit-specific data as 
described above, and to deliver a shared-address 

35 key, known to a small number of units which pos- 
sess the same shared address. One byte of the 
shared address, the shared address index, may 
optionally be authenticated and used for timeiock 
purposes. Category keys and the associated cate- 

40 gory number and sequence number are then deliv- 
ered to all descramblers having a shared address 
with a single message, encrypted under the shared 
address key. The category sequence number must 
be authenticated using the shared address key so 

45 that it may be used for timeiock purposes. The 
category key is used as before, but the final state 
of program key generation may also be extended 
to include the shared address index. 

50 

Claims 

1 . A system, comprising 
means (10. 12. 107. 110) for encrypting first-key 
55 generation data (17, 104) with a first-key prekey 
(18, 101) in accordance with a first encryption 
algorithm to produce a first key (20, 122); 
means (13, 108, 111) for processing the first key 



12 



23 



EP 0 343 805 A2 



24 



(20. 122) to produce a keystream (25); 
means (15) for proc ssing an information signal 
(26) with the keystream (25) to produce a scram- 
bled information signal (27); 
means (11, 106) for encrypting the first-key prekey 
(18, 101) with a second key (22, 83b) in accor- 
dance with a second encryption algorithm to pro- 
duce an encrypted first-key prekey (23. 118); 
means for distributing the scrambled information 
signal (27). the first-key generation data (17, 104, 
184); and the encrypted first-key prekey (23. 118); 
and 

a descrambier, including 

means (29. 210) for providing the second key (22, 
83); 

means (30, 186) for decrypting the distributed en- 
crypted first-key prekey (23, 118) with the second 
key (22, 83b) in accordance with the second en- 
cryption algorithm to reproduce the first-key prekey 
(18.101); 

means (31, 32, 287, 190) for encrypting the distrib- 
uted first-key generation data (17, 184) with the 
reproduced first-key (18, 101) prekey in accor- 
dance with the first encryption algorithm to repro- 
duce the first key (20, 122); 

means (33, 188, 191) for processing the repro- 
duced first key (20,122) to reproduce the 
keystream (25); and 

means (34) for processing the distributed scram- 
bled information signal (27) with the reproduced 
keystream (25) to descramble the distributed 
scrambled information signal. 

2. A system according to Claim 1 , further com- 
prising 

means (108, 111) for encrypting third key genera- 
tion data (105) with the first key (122) in accor- 
dance with a third encryption algorithm to produce 
a third key (126); 

means (13) for processing the third key (126) to 
produce the keystream (25); 
wherein the distributing means further distribute the 
third key generation data (105, 185); and 
a second descrambier, including 
means (210) for providing the second key (83); 
means (186) for decrypting the distributed encryp- 
ted first-key prekey (118) with the second key 
(83b) in accordance with the second encryption 
algorithm to reproduce the first-key prekey (101); 
means (187, 190) for encrypting the distributed 
first-key generation data (184) with the reproduced 
first-key prekey (101) in accordance with the first 
encryption algorithm to reproduce the first key 
(122); 

means (188, 191) for encrypting the distributed 
third key generation data (185) with the reproduced 
first key (122) in accordance with the third encryp- 
tion algorithm to reproduce the third key (126); 
means (33) for processing the reproduced third key 



(126) to reproduce the keystream (25); and 
means (34) for processing the distributed scram- 
bled information signal (27) with the reproduced 
keystream (25) to descramble the distributed 
5 scrambled information signal. 

3. A system according to Claim 1, further com- 
prising 

means (106, 109) for encrypting the first key gen- 
eration data (103) with the second key (83b) in 

to accordance with a third encryption algorithm to 
produce an encrypted first key (118); 
wherein the distributing means further distribute the 
encrypted first key (118); and 
a second descrambier, including 

75 means (210) for providing the second key (83); 

means (186) for decrypting the distributed encryp- 
ted first key (118) with the second key (83b) in 
accordance with the third encryption algorithm to 
reproduce the first key (101); 

20 means (187, 190, 188, 191, 33) for processing the 
reproduced first key (101) to reproduce the 
keystream (25); and 

means (34) for processing the distributed scram- 
bled Information signal (27) with the reproduced 
25 keystream (25) to descramble the distributed 
scrambled information signal. 

4. A descrambier for descrambling a scram- 
bled information signal produced by a system that 
encrypts first-key generation data (17, 104) with a 

30 first-key prekey (18. 101) in accordance with a first 
encryption algorithm to produce a first key (20, 
122); processes the first key to produce a 
keystream (25); processes the information signal 
(26) with the keystream to produce a scrambled 

35 information signal (27); encrypts the first-key 
prekey with a second key (22, 83b) in accordance 
with a second encryption algorithm to produce an 
encrypted first-key prekey (23, 118); and distrib- 
utes the scrambled information signal (27), the first- 

40 key generation data (17, 104. 184) and the encryp- 
ted first-key prekey (23, 118) the descrambier com- 
prising 

means (29, 210) for providing the second key; 
means (30, 186) for decrypting the distributed en- 
45 crypted first-key prekey (23, 118) with the second 
key (22, 83b) in accordance with the second en- 
cryption algorithm to reproduce the first-key prekey 
(18, 101); 

means (31. 32, 187, 190) for encrypting the distrib- 
so uted first-key generation data (17, 184) with the 
reproduced first-key prekey (18, 101) in accor- 
dance with the first encryption algorithm to repro- 
duce the first key (20, 122); 
means (188, 191, 33) for processing the repro- 
55 duced first key (20, 122) to reproduce the 
k ystream (25); and 

means (34) for processing the distributed scram- 
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bled information signal (27) with th reproduced 
keystream (25) to descramble the distributed 
scrambled information signal. 

5. A descrambler according to Claim 4 for 
descrambiing an information signal scrambled by a 
said system in which the first key (122) is pro- 
duced by encrypting the first-key generation data 
(104) with the first-key prekey (101) in accordance 
with the first encryption algorithm to produce en- 
crypted first key-generation data (120); and pro- 
cessing the first key generation data (104) with the 
encrypted first-key generation data (120) to pro- 
duce the first key (122), wherein the means for 
reproducing the first key comprise 

means (187) for encrypting the distributed first-key 
generation data (184) with the reproduced first-key 
prekey (101) in accordance with the first encryption 
algorithm to reproduce the encrypted first-key gen- 
eration data (120); and 

means (190) for processing the distributed first-key 
generation data (184) with the reproduced encryp- 
ted first-key generation data (120) to reproduce the 
first key (122). 

6. A descrambler according to Claim 5 for 
descrambiing an information signal scrambled by a 
said system in which the first key (122) is further 
produced by truncating the encrypted first-key gen- 
eration data (120) and exclusive-ORing the trun- 
cated first-key generation data (121) with the first 
key generation data (104) to produce the first key 
(122), wherein the means for reproducing the first 
key comprises 

means (193) for truncating the encrypted first-key 
generation data (120; and 

means (190) for exclusive-ORing the truncated en- 
crypted first-key generation data (121) with the 
distributed first-key generation (184) data to repro- 
duce the first key (122). 

7. A descrambler according to Claim 4 for 
descrambiing an information signal scrambled by a 
said system, wherein the first-key generation data 
(17) includes a quantity of data that must be pro- 
cessed by an authorization processor (35) in the 
descrambler in order to enable the descrambler, 
and wherein said quantity of data exceeds the 
encryption capacity of a single operation of said 
first encryption algorithm; and in which system the 
first key (126) is produced by encrypting a first 
block (104) of the first-key generation data with the 
first-key prekey (101) in accordance with the first 
encryption algorithm to produce an intermediate 
key (122); and encrypting a second block (105) of 
the first-key generation data with the intermediate 
key (122) in accordance with a third encryption 
algorithm to produce the first key (126), 

wherein the means in the descrambler for repro- 
ducing the first key comprise 
means (187, 190) for encrypting said first block 



(184) of the distributed first-key generation data 
with the reproduced first-key prekey (101) In accor- 
dance with the first encryption algorithm to repro- 
duce the intermediate key (122); and 

s means (188, 191) for encrypting said second block 

(185) of the distributed first-key generation data 
with the reproduced intermediate key (122) in ac- 
cordance with a third encryption algorithm to repro- 
duce the first key (126); 

io wherein the descrambler further includes an au- 
thorization processor (35) for processing the dis- 
tributed first-key generation data in order to enable 
the descrambler. 

8. A descrambler according to Claim 4 for 

15 descrambiing an information signal scrambled by a 
said system, wherein the first-key generation data 
(17) includes a quantity of data that must be pro- 
cessed by an authorization processor (35) in the 
descrambler in order to enable the descrambler, 

20 and wherein said quantity of data exceeds the 
encryption capacity of a single operation of said 
first encryption algorithm; and in which system the 
first key (20) is produced by encrypting a first 
block (41, 51) of the first-key generation data (17) 

25 with the first-key prekey (18) in accordance with 
the first encryption algorithm to produce a first 
intermediate key (42, 52); encrypting the first inter- 
mediate key (42, 52) with a second block (43, 53) 
of the first-key generation data in accordance with 

30 a third encryption algorithm to produce a second 
intermediate key (44, 54); encrypting the second 
intermediate key (44, 54) with a third block (45. 55) 
of the first-key generation data (17) in accordance 
with a fourth encryption algorithm to produce the 

35 first key (20), 

wherein the means in the descrambler for repro- 
ducing the first key comprise 
means (37, 47) for encrypting the first block (41, 
51) of the distributed first-key generation data (17) 

40 with the reproduced first-key prekey (18) in accor- 
dance with the first encryption algorithm to repro- 
duce the first intermediate key (42, 52); 
means (38, 48) for encrypting the reproduced first 
intermediate key (42 , 52) with the second block 

45 (43, 53) of the distributed first-key generation data 
(17) in accordance with the third encryption al- 
gorithm to reproduce the second intermediate key 
(44, 54); 

means (39, 49) for encrypting the reproduced sec- 
50 ond intermediate key (44, 54) with the third block 
(45. 55) of the distributed first-key generation data 
(17) in accordance with the fourth encryption al- 
gorithm to reproduce the first key (20); 
wherein the descrambler further includes an au- 
55 thorization processor (35) for processing the dis- 
tributed first-key generation data (17) in order to 
enable the descrambler. 
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9. A descrambler according to Claim 4 for 
descrambling an information signal scrambled by a 
said system, wherein the first-key generation data 
(17) includes a quantity of data that must be pro- 
cessed by an authorization processor (35) in the 
descrambler in order to enable the descrambler, 
and wherein said quantity of data exceeds the 
encryption capacity of a single operation of said 
first encryption algorithm; and in which system the 
first key (20) is produced by encrypting a first 
block (65) of the first-key generation data (17) with 
the first-key prekey (18) in accordance with the first 
encryption- algorithm to produce a first intermedi- 
ate key (66); processing a second block (67) of the 
first-key generation data (17) with the first inter- 
mediate key (66); to produce a preencrypted sec- 
ond block of data (68); encrypting the preencrypted 
second block of data (68) a third block (69) of the 
first-key generation data (17) in accordance with a 
third encryption algorithm to produce an encrypted 
second block of data (70); processing the encryp- 
ted second block of data (70) with the second 
block of data (67) to produce a second intermedi- 
ate key (71); processing a fourth block (72) of the 
first-key generation data (17) with the second inter- 
mediate key (71) to produce a preencrypted fourth 
block of data (73); encrypting the preencrypted 
fourth block of data (73) with a fifth block (74) of 
the first-key generation data (17) in accordance 
with a fourth encryption algorithm to produce an 
encrypted fourth block of data (75); and processing 
the encrypted fourth block of data (75) with the 
fourth block of data (72) to produce the first key 
(20). 

wherein the means in the descrambler for repro- 
ducing the first key comprise 
means (57) for encrypting the first block (65) of the 
distributed first-key generation data (17) with the 
reproduced first-key prekey (18) in accordance with 
the first encryption algorithm to reproduce the first 
intermediate key (66); 

means (60) for processing the second block (67) of 
the distributed first-key generation data (17) with 
the reproduced first intermediate key (66) to repro- 
duce the preencrypted second block of data (68); 
means (58) for encrypting the reproduced preen- 
crypted second block of data (68) with the third 
block (69) of the distributed first-Vey generation 
data (17) in accordance with the third encryption 
algorithm to reproduce the encrypted second block 
of data (70); 

means (61) for processing the reproduced encryp- 
ted second block of data (70) with the second 
block of data (67) to reproduce a second intermedi- 
at key (71); 

means (62) for processing the fourth block (72) of 
the distributed first-key generation data (17) with 
the reproduced second intermediate key (71) to 



reproduce the preencrypted fourth block of data 
(73); 

means (59) for encrypting the reproduced preen- 
crypted fourth block of data (73) with the fifth block 
s (74) of the distributed first-key generation data (17) 
in accordance with the fourth encryption algorithm 
to reproduce the encrypted fourth block of data 
(75); and 

means (63) for processing the reproduced encryp- 

70 ted fourth block of data (75) with the fourth block of 
data (72) to reproduce the first key (20); 
wherein the descrambler further includes an au- 
thorization processor (35) for processing the dis- 
tributed first-key generation data (17) in order to 

15 enable the descrambler. 

10. A descrambler according to Claim 4 for 
descrambling an information signal scrambled by a 
said system in which the first-key generation data 
(17) includes a sequence number (81) associated 

20 with the second key (83), 

wherein the means (210, 214) for providing the 
second key (83) include means for processing the 
distributed sequence number (81) to provide the 
second key (83), 

25 11. A descrambler according to Claim 4 or 10 

for descrambling an information signal scrambled 
by a said system in which the key generation data 
(17) further includes a key index (82) used for 
accessing data (200) processed to provide the sec- 

30 ond key (83) in the descrambler, 

wherein the means (202, 210) for providing the 
second key (83) further include means (202) for 
processing the distributed key index (82) to provide 
the second key (83). 

35 12. A descrambler according to Claim 4 for 

descrambling an information signal scrambled by a 
said system in which the first key (122) is pro- 
cessed to produce the keystream (25) by encryp- 
ting third key generation data (105) with the first 

40 key (122) in accordance with a third encryption 
algorithm to produce a third key (126); and the 
third key (126) is processed to produce the 
keystream (25); and the third key generation data 
(105. 185) is also distributed, 

45 wherein the means for processing the reproduced 
first key (122) to reproduce the keystream, com- 
prise 

means (188, 191) for encrypting the distributed 
third key generation data (185) with the reproduced 

so first key (122) in accordance with the third encryp- 
tion algorithm to reproduce the third key (126); and 
means (33) for processing the reproduced third key 
(126) to reproduce the keystream (25). 

13. A descrambler according to Claim 4 for 

55 descrambling an information signal scrambled by a 
said system in which first-key prekey generation 
data (87) is encrypted with a first-key prekey (84) 
prekey in accordance with a third encryption al- 
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gorithm to produce the first-key prekey (101); the 
first-key prekey prekey (84) is encrypted with the 
second key (83a) in accordance with a fourth en- 
cryption algorithm to produce an encrypted first- 
key prekey prekey (97); and the encrypted first-key 5 
prekey prekey (97). the first-key prekey generation 
data (87, 167) and a descrambier category iden- 
tification number (80) are also distributed, wherein 
the descrambier further comprises 
means (167) for decrypting the distributed encryp- 10 
ted first-key prekey prekey (97) with the second 
key (83a) in accordance with the fourth encryption 
algorithm to reproduce the first-key prekey prekey 
(84); 

means (169, 171) for encrypting the distributed 75 
first-key prekey generation data (167) with the re- 
produced first-key prekey prekey (84) in accor- 
dance with the third encryption algorithm to repro- 
duce the first-key prekey; and (101); 
switching means (162) responsive to the distributed 20 
descrambier category identification number (80) for 
causing the first-key prekey (101) that is used to 
encrypt the distributed first-key generation data 
(184) to be reproduced by either (a) decrypting the 
distributed encrypted first-key prekey (118) with 25 
the second key (83b) in accordance with the sec- 
ond algorithm or (b) decrypting the distributed en- 
crypted first-key prekey prekey (97) with the sec- 
ond key (83a) in accordance with the fourth al- 
gorithm to reproduce the first-key prekey prekey 30 
(84) and encrypting the distributed first-key prekey 
generation data (167) with the reproduced first-key 
prekey prekey (84) in accordance with the third 
algorithm. 
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© Reproduction of secure keys by using distributed key generation data. 



® A key security system provides for the reproduc- 
tion of secure keys by using distributed key genera- 
tion data and a distributed encrypted prekey. The 
system encrypts program key generation data (17) 
with a program key prekey (18) in accordance with a 
first encryption algorithm to produce the program 
key (20); processes the program key (20) to produce 
a keystream (25); and processes an information sig- 
nal (26) with the keystream to produce a scrambled 
information signal (27). The program key prekey (18) 
is encrypted with a category key (22) in accordance 
with a second encryption algorithm to produce an 
CO encrypted program key prekey (23). The scrambled 
^ information signal (27) the program key generation 
Ifl data (17) and the encrypted program key prekey 
O (23) are distributed to descramblers. The descram- 
bier within the key security system decrypts the 
00 distributed encrypted program key prekey (23) with 
*f the category key (22) in accordance with the second 
^ encryption algorithm to reproduce the program key 
O prekey (18); encrypts the distributed program key 
^ generation data (17) with the reproduced program 
qj key prekey (18) in accordance with the first encryp- 



tion algorithm to reproduce the program key (20); 
processes the reproduced program key (20) to re- 
produce the keystream (25); and processes the dis- 
tributed scrambled information signal (27) with the 
reproduced keystream (25) to descramble the dis- 
tributed scrambled information signal. The key gen- 
eration data includes authorization data that must be 
processed by the authorization processor (35) in the 
descrambler in order to enable the descrambler. The 
use of authorization data as key generation data 
protects the authorization data from spoofing attacks. 
When more data must be protected than a single 
operation of the encryption algorithm can support, 
then additional data blocks are protected by chaining 
the system, wherein the output from one stage forms 
part of the input to the next. The key generation data 
for the program key includes a sequence number 
securely associated with the category key to thereby 
"ttmelock" program key reproduction to the use of a 
current category key and thus prevent an attack 
based upon the use of an obsolete category key. 
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